Microsoft temporarily disables MSIX protocol handler following malware abuse
Image: Chandler Cruttenden
Catalin Cimpanu February 7, 2022

Microsoft temporarily disables MSIX protocol handler following malware abuse

Microsoft temporarily disables MSIX protocol handler following malware abuse

Microsoft has temporarily disabled the MSIX protocol handler in Windows installations after the Emotet gang has abused it over the past three months to deploy malware on user systems.

The OS maker said it is working on ways to better protect this feature from future abuse but did not say when it expects to re-enable it back on.

What is MSIX and the “ms-appinstaller” protocol handler

Developed specifically for the launch of Windows 10, MSIX is a new file packaging format was designed around the concept of XML manifest files where developers can describe how the installation process can occur, what files are needed, and from where they can be retrieved.

MSIX-format
Image: Microsoft

While it was initially made available for modern Windows versions, MSIX was backported to as far back as Windows 7 via MSIX Core, and today, MSIX-packaged files can be installed on all Windows OS versions.

Typically, these files are served with extensions such as APPX or APPXBUNDLE, containing all the resources needed to install on any OS version. But when users double-click and execute the file, the OS reads the manifest files and only installs the files needed for their platform.

However, for convenience, MSIX-packaged files can also be delivered via the internet via the “ms-appinstaller” protocol, which allows developers to create links like “ms-appinstaller:?source=//website.com/file.appx“.

In these instances, the MSIX protocol handler (ms-appinstaller) initially serves only the manifest XML files, and the OS only retrieves the files they need, saving bandwidth for the user.

How MSIX attacks have been taking place

But in late November 2021, the operators of the Emotet malware botnet have started abusing ms-appinstaller links for attacks against enterprise users.

The group began sending emails, luring users to malicious sites. These sites would claim to contain important documents that recipients needed to view, but for which they needed to install a PDF component.

But this link to the PDF component was actually an “ms-appinstaller://” that claimed to install an Adobe-signed file, but in reality, it installed a version of the BazaarLoader malware.

The problem with these attacks, and the reason why Microsoft disabled the protocol handler, was that the Emotet gang found a way to spoof signatures in MSIX-packaged files.

While Microsoft delivered an initial patch for this issue (CVE-2021-43890) back in December—and even provided Group Policy-based defenses for those who could not update—attacks have continued to take place.

Microsoft’s recent move comes to curtail attacks abusing ms-appinstaller links by disabling the protocol handler itself. This means that these links will not work anymore.

“If you utilize the ms-appinstaller protocol on your website, we recommend that you update the link to your application, removing ‘ms-appinstaller:?source=‘ so that the MSIX package or App Installer file will be downloaded to user’s machine,” Microsoft said last week.

“We recognize that this feature is critical for many enterprise organizations,” it added. “We are looking into introducing a Group Policy that would allow IT administrators to re-enable the protocol and control usage of it within their organizations.”

Catalin Cimpanu is a cybersecurity reporter for The Record. He previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.